Let's Encrypt Fails due to ModSec rule

My domain is: michiganpistol.com

I’m using a control panel to manage my site: Plesk Onyx Version 17.8.11 Update #16

I received the following error with Web Application Firewall (ModSecurity) turned On…

17293822571250189533 66.133.109.36:58902 80 127.0.0.1 80
--23480000-B--
GET /.well-known/acme-challenge/nLhqlYmsng2vJZ8DczTkdvWoYOKsglUI1HUq_ULDcTk HTTP/1.1
Connection: close
Accept: */*
Accept-Encoding: gzip
Host: michiganpistol.com
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)

--23480000-F--
HTTP/1.1 500 Internal Server Error

--23480000-H--
Message: Access denied with code 403 (phase 1). RBL lookup of 36.109.133.66.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [file "C:/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_rbl.conf"] [line "51"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"]
Action: Intercepted (phase 1)
Apache-Handler: IIS
Stopwatch: 1533925384790549 8562509 (- - -)
Stopwatch2: 1533925384790549 8562509; combined=17078089, p1=15639, p2=0, p3=0, p4=0, p5=8531225, sr=0, sw=0, l=0, gc=8531225
Producer: ModSecurity for IIS (STABLE)/2.9.1 (http://www.modsecurity.org/); 201404231529.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

--23480000-Z--

--aa090000-A--

My concern is over: RBL lookup of 36.109.133.66.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [file "C:/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_rbl.conf"] [line "51"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"]
Action: Intercepted (phase 1)

https://www.spamhaus.org/query/ip/66.133.109.36 – 66.133.109.36 is listed in the XBL

https://www.abuseat.org/lookup.cgi?ip=66.133.109.36 – This IP address is infected with, or is NATting for a machine infected with the Conficker malicious botnet.

Disabling the ModSecurity rule allows the SSL certificate to be renewed successfully.

@lestaff, could someone confirm whether this IP address is sometimes used for LE validations and whether it’s also on botnet blacklists?

I believe the blacklisting, if true, is almost sure to be a false positive, but it might still be a good idea to request delisting to reduce spurious validation problems.


The abuseat.org link (after going through Recaptcha) has enough information to track it down in the VA logs.

It’s worth trying to get delisted, but it’s not possible to totally stop validation attempts for malware sinkhole domains. :confused:

I’ve brought this to the Ops team’s attention. Hopefully LE can get whitelisted from the CBL. Thanks for pointing this out!


We’re trying to engage CBL’s maintainers, but I think the best solution is your workaround: exempting /.well-known/acme-challenge from that category of WAF / ModSecurity rules. This should be low-risk because that path should only contain static files.
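The path exemption suggested above, written out as a ModSecurity 2.x rule (an added example, not configuration from the thread or from Plesk). It skips only the RBL rule id 350000 seen in the audit log, and only for requests under /.well-known/acme-challenge/; the rule id 1000001 is an arbitrary locally chosen id, and the file placement is an assumption about the Plesk rule set layout.

```apache
# Added example: exempt ACME HTTP-01 challenge requests from the xbl.spamhaus.org
# RBL check (rule 350000 in tortix/modsec/00_asl_rbl.conf) without disabling the
# rule for the rest of the site.
#
# The ctl:ruleRemoveById action only affects rules evaluated AFTER this one in the
# same transaction, so this rule must be loaded before 00_asl_rbl.conf is included
# (e.g. from a custom-rules file that Plesk loads first; placement is an assumption).
# Rule id 1000001 is a locally chosen id, not one from the thread.
SecRule REQUEST_URI "@beginsWith /.well-known/acme-challenge/" \
    "id:1000001,\
     phase:1,\
     pass,\
     nolog,\
     msg:'ACME challenge path: skip RBL rule 350000',\
     ctl:ruleRemoveById=350000"
```

The validation server's request in the audit log is a plain GET for a static token file, so nothing else on the site changes; after reloading, a renewal attempt should no longer produce a 350000 hit in the audit log for that path.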
